Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » iPlanet WebServer, remote root compromise

iPlanet WebServer, remote root compromise

by Nikola Strahija on November 19th, 2002 Platform(s): Unix & Windows OSs.


Overview:
- ----------

Under certain circumstances an attacker can execute commands (usually
as root), using the combination of two security vulnerabilities on
iPlanet Web Server 4.* up to SP11 (NG-XSS).

These two vulnerabilities are:

- Insecure open()s at Admin Server PERL scripts
- Cross Site Scripting

The only need will be, through social skills, to have the Administrator
review the logs within iPlanet Admin Server.

This vulnerability can not be exploited on a 6.* version because XSS
was silently fixed in these releases.

Find a detailed vulnerability analysis of NG-XSS on iPlanet WebServers
in our WhitePaper "iPlanet NG-XSS Vulnerability Analysis" at:

http://www.ngsec.com/ngresearch/ngwhitepapers/


Technical description:
- -----------------------

If we consider each vulnerability alone, we have no chance to execute
commands at the iPlanet Web Server since XSS payload is Browser Hijacking
and the vulnerable PERL script is protected by an authentication schema.

iPlanet Web Server suffers from a XSS vulnerability when the Administrator
reviews the error logs through iPlanet Admin Server. XSS triggers once
the Administrator has successfully logged on the Admin Server.

The trick is not to exploit the open() PERL vulnerability directly, but
use instead the XSS to redirect the Administrator's browser to the URL
that will cause the open() command injection.
Since he is already authenticated, we bypass the authentication schema.

We will use the following Javascript code:




Proof of vulnerability:
- ------------------------

Find an exploit for this vulnerability at:

http://www.ngsec.com/ngresearch/ngadvisories/

There is a case study exploitation (sending the attacker an xterm) with
some screenshots, in the aboved mentioned WhitePaper.


Recommendations:
- -----------------
Avoid iPlanet's Admin Server usage, until Sun releases a patch for
these vulnerabilities. Alternatively upgrade to iPlanet v.6.*

This vulnerability could not have been exploited on a NGSecureWeb(r)
protected iPlanet Web Server.

Find more information on NGSecureWeb features at:

http://www.ngsec.com/ngproducts/ngsw/

- --
More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc

Copyright(c) 2002 NGSEC. All rights reserved.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »